From 62a3ffcb42d9af23715f21a8c9b5d688c31c999d Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Fri, 2 Nov 2018 11:46:26 -0400
Subject: [PATCH] compose: Don't require SELinux policy in legacy path
In #1630, we lowered SELinux policy loading into the core. However, this
also enabled SELinux policy loading from the host system even in the
legacy (non-unified) compose path. This meant that compose systems now
needed to have the policy installed even though we didn't need it at
all. This caused regressions in pungi:
https://pagure.io/dusty/failed-composes/issue/956
Just make the binding of the "selinux" member conditional on whether or
not we're in unified mode (which is really when we even care about
having it loaded from the start for pkgcache purposes).
Closes: #1656
Approved by: cgwalters
---
src/app/rpmostree-compose-builtin-tree.c | 1 +
src/app/rpmostree-composeutil.c | 16 ++++++++++++++--
src/app/rpmostree-composeutil.h | 1 +
3 files changed, 16 insertions(+), 2 deletions(-)
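--- a/src/app/rpmostree-compose-builtin-tree.c
+++ b/src/app/rpmostree-compose-builtin-tree.c
@@ -576,6 +576,7 @@ rpm_ostree_compose_context_new (const char *treefile_pathstr,
 self->treespec = rpmostree_composeutil_get_treespec (self->corectx,
 self->treefile_rs,
 self->treefile,
+ opt_unified_core,
 error);
 if (!self->treespec)
 return FALSE;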
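--- a/src/app/rpmostree-composeutil.c
+++ b/src/app/rpmostree-composeutil.c
@@ -241,6 +241,7 @@ RpmOstreeTreespec *
 rpmostree_composeutil_get_treespec (RpmOstreeContext *ctx,
 RORTreefile *treefile_rs,
 JsonObject *treedata,
+ gboolean bind_selinux,
 GError **error)
 {
 GLNX_AUTO_PREFIX_ERROR ("Parsing treefile", error);
@@ -255,8 +256,6 @@ rpmostree_composeutil_get_treespec (RpmOstreeContext *ctx,
 return FALSE;
 if (!treespec_bind_bool (treedata, treespec, "recommends", TRUE, error))
 return FALSE;
- if (!treespec_bind_bool (treedata, treespec, "selinux", TRUE, error))
- return FALSE;
 if (!treespec_bind_array (treedata, treespec, "install-langs", "instlangs", FALSE, error))
 return FALSE;
 { const char *releasever;
@@ -267,6 +266,19 @@ rpmostree_composeutil_get_treespec (RpmOstreeContext *ctx,
 g_key_file_set_string (treespec, "tree", "releasever", releasever);
 }
 
+ if (bind_selinux)
+ {
+ if (!treespec_bind_bool (treedata, treespec, "selinux", TRUE, error))
+ return FALSE;
+ }
+ else
+ {
+ /* In the legacy compose path, we don't want to use any of the core's selinux stuff,
+ * e.g. importing, relabeling, etc... so just disable it. We do still set the policy
+ * to the final one right before commit as usual. */
+ g_key_file_set_boolean (treespec, "tree", "selinux", FALSE);
+ }
+
 const char *input_ref = NULL;
 if (!_rpmostree_jsonutil_object_get_optional_string_member (treedata, "ref", &input_ref, error))
 return FALSE;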
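Review bot: When `bind_selinux` is FALSE the new else branch never reads the treefile's `selinux` member, so a value of the wrong type is presumably no longer rejected here in the legacy path, and the treespec records `selinux=false` even for a treefile that asks for labeling. If `treespec_bind_bool` is what validates that member, binding first and overriding afterwards keeps the check: `if (!treespec_bind_bool (treedata, treespec, "selinux", TRUE, error)) return FALSE;` followed by `if (!bind_selinux) g_key_file_set_boolean (treespec, "tree", "selinux", FALSE);`. Correct labeling of a legacy-path commit now rests entirely on the policy being set right before commit, which happens outside these hunks; a compose test asserting that such a commit still carries SELinux labels would guard against a silent regression. The body of rpmostree_composeutil_get_treespec starts and ends outside the hunks shown.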
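--- a/src/app/rpmostree-composeutil.h
+++ b/src/app/rpmostree-composeutil.h
@@ -47,6 +47,7 @@ RpmOstreeTreespec *
 rpmostree_composeutil_get_treespec (RpmOstreeContext *ctx,
 RORTreefile *treefile_rs,
 JsonObject *treedata,
+ gboolean bind_selinux,
 GError **error);
 
 GHashTable *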
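Review bot: The new `bind_selinux` parameter on this prototype is undocumented, and its name understates the effect: per the .c change, passing FALSE does not just skip the binding, it forces the treespec's `selinux` key to false. A comment above the declaration would make that visible to callers, e.g. `/* bind_selinux: TRUE takes "selinux" from the treefile (unified core); FALSE forces it off in the treespec (legacy compose), policy is then applied before commit */`.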
--
2.17.1